1 / 53

Modern Cryptography Lecture 3

Modern Cryptography Lecture 3. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

bryony
Download Presentation

Modern Cryptography Lecture 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 3 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Pre-proposal due: Feb 7 • 2nd assignment will be on-line tonight (due: 2/14 2:15 PM) • Study Guide: Quiz this Wednesday • Repeat whatever you have learned, try it by yourself. • Go back to look at discrete math books. • Come and talk to me and TA as much as possible. (Google chat is good!) • Check Calendar

  3. Recap • Math… • Proof techniques • Direct/Indirect proof, Proof by contradiction, Proof by cases, Existential/Universal Proof, Forward/backward reasoning • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n.

  4. Math, Math, Math

  5. Arithmetic Inverse • Let a be an integer. a* is an arithmetic inverse of a modulo n, if a a*  1 mod n. • Suppose that gcd(a, n) =1. Then a has an arithmetic inverse modulo n. • Suppose gcd(a, n) = 1. Then ax  ay mod n  x  y mod n. • x2+1  0 mod 8 has no solution.

  6. Equations • 2x  5 mod 3  2x  2 mod 3  2* 2 x  2* 2 mod 3  x  1 mod 3 (2*  2 mod 3) • 3x  7 mod 5  3x  2 mod 5  3* 3x  3* 2 mod 5  x  4 mod 5 (3* 2 mod 5)

  7. Summary on Congruence • Notation: a≡b (mod m) • Rephrased: m | a-b • Rephrased: a mod m = b • Rephrased: a = b + mk1 for some integer k1 • Every integer is either of the form • 4k, 4k+1, 4k+2, or 4k+3. • 0 mod 4, 1 mod 4, 2 mod 4, or 3 mod 4 • If a≡b (mod m) and c≡d (mod m), then • a+c ≡(b+d) (mod m) • ac ≡ bd (mod m) • Suppose that gcd(a, n) =1. Then a has an arithmetic inverse a* modulo n, i.e. a a* a* a  1 mod n.

  8. Zn, Zn* • Zn = {0, 1, 2, 3, …, n-1} • Zn* = {x | x  Zn and gcd(x, n) = 1}. • Z6= {0, 1, 2, 3, 4, 5} • Z6* = {1, 5} • For a set S, |S| means the number of element in S. • |Zn| = n • |Zn*| = (n)

  9. Cardinality • For finite (only) sets, cardinality is the number of elements in the set • For finite and infinite sets, two sets A and B have the same cardinality if there is a one-to-one correspondence from A to B

  10. Counting • Multiplication rule • If there are n1 ways to do task1, and n2 ways to do task2 • Then there are n1n2 ways to do both tasks in sequence. • Example • There are 18 math majors and 325 CS majors • How many ways are there to pick one math major and one CS major? • Addition rule • If there are n1 ways to do task1, and n2 ways to do task2 • If these tasks can be done at the same time, then… • Then there are n1+n2 ways to do one of the two tasks • How many ways are there to pick one math major or one CS major? • The inclusion-exclusion principle • |A1U A2| = |A1| + |A2| - |A1∩A2|

  11. Permutation, Combination • An r-permutation is an ordered arrangement of r elements of the set: P(n, r), nPr • How many poker hands (with ordering)? • P(n, r) = n (n-1)(n-2)…(n-r+1) = n! / (n-r)! • Combination: When order does not matter… • In poker, the following two hands are equivalent: • A♦, 5♥, 7♣, 10♠, K♠ • K♠, 10♠, 7♣, 5♥, A♦ • The number of r-combinations of a set with n elements, where n is non-negative and 0≤r≤n is: C(n, r) = n! / (r! (n-r)!) • (x+y)n

  12. Probability definition • The probability of an event occurring is: p(E) = |E| / |S| • Where E is the set of desired events (outcomes) • Where S is the set of all possible events (outcomes) • Note that 0 ≤ |E| ≤ |S| • Thus, the probability will always between 0 and 1 • An event that will never happen has probability 0 • An event that will always happen has probability 1

  13. Assigning Probability • S: Sample space • p(s): probability that s happens. • 0  p(s)  1 for each s  S • s  S p(s) = 1 • The function p is called probability distribution • Example • Fair coin: p(H) = 1/2, p(T) = 1/2 • Biased coin where heads comes up twice as often as tail • p(H) = 2 p(T) • p(H) + p(T) = 1  3 p(T) = 1  p(T) = 1/3, p(H) = 2/3

  14. More… • Uniform distribution • Each element s  S (|S| = n) is assigned with the probability 1/n. • Random • The experiment of selecting an element from a sample space with uniform distribution. • Probability of the event E • p(E) = s  E p(s). • Example • A die is biased so that 3 appears twice as often as others • p(1) = p(2) = p(4) = p(5) = p(6) = 1/7, p(3) = 2/7 • p(O) where O is the event that an odd number appears • p(O) = p(1) + p(3) + p(5) = 4/7.

  15. Combination of Events • Still • p(Ec) = 1 - p(E) • p(E1 E2) = p(E1) + p(E2) - p(E1 E2) • E1 E2 =  p(E1 E2) = p(E1) + p(E2) • For all i  j, Ei Ei =  p(iEi) = i p(Ei)

  16. Conditional Probability • Flip coin 3 times • all eight possibility are equally likely. • Suppose we know that the first coin was tail (Event F). What is the probability that we have odd number of tails (Event E)? • Only four cases: TTT, TTH, THT, THH • So 2/4 = 1/2. • Conditional probability of E given F • We need to use F as the sample space • For the outcome of E to occur, the outcome must belong to E  F. • p(E | F) = p(E  F) / p(F).

  17. Bernoulli Trials & Binomial Distribution • Beronoulli trial • an experiment with only two possible outcomes • i.e. 0 (failure) and 1 (success). • If p is the probability of success and q is the probability of failure, p + q = 1. • A biased coin with probability of heads 2/3 • What is the probability that four heads up out of 7 trials?

  18. Random Variable • A random variable is a function from the sample space of an experiment to the set of real numbers. • Random variable assigns a real number to each possible outcome. • Random variable is not variable! not random! • Example: three times coin flipping • Let X(t) be the random variable that equals the number of heads that appear when t is the outcome • X(HHH) = 3, X(THH) = X(HTH) = X(HHT) = 2, X(TTH) = X(THT) = X(HTT) = 1, X(TTT) = 0 • The distribution of a random variable X on a sample space S is the set of pairs (r, p(X=r)) for all r  X(S) • where p(X=r) is the probability that X takes value r. • p(X=3) = 1/8, p(X=2) = 3/8, p(X=1) = 3/8, p(X=0) = 1/8

  19. Expected Value • The expected value of the random variable X(s) on the sample space S is equal to E(X) = s  S p(s) X(s) • Expected value of a Die • X is the number that comes up when a die is rolled. • What is the expected value of X? • E(X) = 1/6 1 + 1/6 2 + 1/6 3 + … 1/6 6 = 21/6 = 7/2 • Three times coin flipping example • X: number of heads • E(X) = 1/8 3 + 3/8 2 + 3/8 1 + 1/8 0 = 12/8 = 3/2

  20. Security: Overview

  21. The main players Eve Yves? Bob Alice

  22. Attacks, Mechanisms, Services • Security Attack: Any action that compromises the security of information. • Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. • Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

  23. Attacks Normal Flow Destination Source Interruption: Availability Interception: Confidentiality Destination Destination Source Source Modification: Integrity Fabrication: Authenticity Destination Destination Source Source

  24. Taxonomy of Attacks • Passive attacks • Eavesdropping • Traffic analysis • Active attacks • Masquerade • Replay • Modification of message content • Denial of service

  25. Security Services • Confidentiality or privacy • keeping information secret from all but those who are authorized to see it. • Data Integrity • ensuring information has not been altered by unauthorized or unknown means. • Entity authentication or identification • corroboration of the identity of an entity • Message authentication • corroborating the source of information • Signature • a means to bind information to an entity. • Authorization, Validation, Access control, Certification, Timestamping, Witnessing, Receipt, Confirmation, Ownership, Anonymity, Non-repudiation, Revocation

  26. Big picture Trusted third party (e.g. arbiter, distributor of secret information) Bob Alice Information Channel Message Message Secret Information Secret Information Eve

  27. More details • Little maths • Taxonomy • Definitions

  28. Little Maths :-) • Function • f : X  Y is called a function f from set X to set Y. • X: domain, Y: codomain. • for y = f(x) where x  X and y  Y • y: image of x, x: preimage of y • Im(f): the set that all y  Y have at least one preimage • 1 − 1 if each element in Y is the image of at most one element in X. • onto if Im(f) =Y • bijection if f is 1−1 and onto.

  29. (Trap-door) One-way function • one-way function if • f(x) is easy to compute for all x  X, but • it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if • given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  30. Taxonomy of crypto primitives Arbitrary length hash functions Unkeyed Primitives One-way permutations Random sequences Block ciphers Symmetric-key ciphers Stream ciphers Arbitrary length hash functions(MACs) Security Primitives Symmetric-key Primitives Signatures Pseudorandom sequences Identification primitives Public-key ciphers Public-key Primitives Signatures Identification primitives

  31. Terminology for Encryption • M denotes a set called the message space • M consists of strings of symbols from an alphabet • An element of M is called a plaintext • C denotes a set called the ciphertext space • C consists of strings of symbols from an alphabet • An element of C is called a ciphertext • K denotes a set called the key space • An element of K is called a key • Ee is an encryption function where e  K • Dd called a decryption function where d  K

  32. Symmetric-key encryption • Encryption scheme is symmetric-key • if for each (e,d) it is easy computationally easy to compute e knowing d and d knowing e • Usually e = d • Block Cipher • Breaks plaintext into block of fixed length • Encrypts one block at a time • Stream Cipher • Takes a plaintext string and produces a ciphertext string using keystream • Block cipher with block length 1

  33. Symmetric Key Encryption • Why do we use key? • Or why not use just a shared encryption function? Adversary c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  34. SKE with Secure Channel Adversary e Secure channel Key source e c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  35. Public-key Encryption (Crypto) • Every entity has a private key SKand a public key PK • Public key is known to all • It is computationally infeasible to find SK from PK • Only SK can decrypt a message encrypted by PK • If A wishes to send a private message M to B • A encrypts M by B’s public key, C = EBPK(M) • B decrypts C by his private key, M = DBSK(C)

  36. PKE with Insecure Channel Passive Adversary e Insecure channel Key source d c Insecure channel Encryption Ee(m) = c Decryption Dd(c) = m m m Plaintext source destination Alice Bob

  37. e e’ Ee’(m) e Ee(m) Public key should be authentic! • Need to authenticate public keys Ee(m)

  38. Digital Signatures • Primitive in authentication and non-repudiation • Signature • Process of transforming the message and some secret information into a tag • Nomenclature • M is set of messages • S is set of signatures • SA is signature transformation from M to S for A, kept private • VA is verification transformation from M to S for A, publicly known

  39. Definitions • Digital Signature - a data string which associates a message with some originating entity • Digital Signature Generation Algorithm – a method for producing a digital signature • Digital signature verification algorithm – a method for verifying that a digital signature is authentic (i.e., was indeed created by the specified entity). • Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm

  40. Digital Signature with Appendix • Schemes with appendix • Requires the message as input to verification algorithm • Rely on cryptographic hash functions rather than customized redundancy functions • DSA, ElGamal, Schnorr etc.

  41. Mh x S VA u 2{True, False} Digital Signature with Appendix M Mh S SA,k h m mh s* s* = SA,k(mh) u = VA(mh, s*)

  42. Hash function and MAC • A hash function is a function h • compression — h maps an input x of arbitrary finite bitlength, to an output h(x) of fixed bitlength n. • ease of computation — h(x) is easy to compute for given x and h • Properties • one-way: for a given y, find x’ such that h(x’) = y • collision resistance: find x and x’ such that h(x) = h(x’) • MAC (message authentication codes) • both authentication and integrity • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance: given (x’,hk(x’)) it is infeasible to compute a new pair (x, hk(x)) for any new x x’

  43. Message Authentication Code MAC • MAC is a family of functions hk • ease of computation (if k is known !!) • compression, x is of arbitrary length, hk(x) has fixed length • computation resistance: given (x’,hk(x’)) it is infeasible to compute a new pair (x, hk(x)) for any new x x’ • Typical use • A ! B: (x, H = hk(x)) • B: verifies if H = hk(x) • Properties • Without k, no one can generate valid MAC. • Without k, no one can verify MAC. • both authentication and integrity

  44. Authentication • How to prove your identity? • Prove that you know a secret information • When key K is shared between A and Server • A  S: HMACK(M) where M can provide freshness • Why freshness? • Digital signature? • A  S: SigSK(M) where M can provide freshness • Comparison?

  45. Encryption and Authentication • EK(M) • Redundancy-then-Encrypt: EK(M, R(M)) • Hash-then-Encrypt: EK(M, h(M)) • Hash and Encrypt: EK(M), h(M) • MAC and Encrypt: Eh1(K)(M), HMACh2(K)(M) • MAC-then-Encrypt: Eh1(K)(M, HMACh2(K)(M))

  46. Key Management Through SKE • Each entity Ai shares symmetric key Ki with a TTP • TTP generates a session key Ks and sends EKi(Ks) • Pros • Easy to add and remove entities • Each entity needs to store only one long-term secret key • Cons • Initial interaction with the TTP • TTP needs to maintain n long-term secret keys • TTP can read all messages • Single point of failure

  47. Authentication • Authentication • Message (Data origin) authentication • provide to one party which receives a message assurance of the identity of the party which originated the message. • Entity authentication (identification) • one party of both the identity of a second party involved, and that the second was active at the time the evidence was created or acquired.

  48. Key Management • Key establishment • Process to whereby a shared secret key becomes available to two or more parties • Subdivided into key agreement and key transport. • Key management • The set of processes and mechanisms which support key establishment • The maintenance of ongoing keying relationships between parties

  49. Key Management Through SKE • Pros • Easy to add and remove entities • Each entity needs to store only one long-term secret key • Cons • Initial interaction with the TTP • TTP needs to maintain n long-term secret keys • TTP can read all messages • Single point of failure KA, KB 1. A, B 2. EKA(SK), EKB(SK) 3. ESK(“Hi”), EKB(SK) 4. ESK(“Hi, Alice”) KA KB

  50. Key Management Through PKE • Advantages • TTP not required • Only n public keys need to be stored • The central repository could be a local file • Problem • Public key authentication problem • Solution • Need of TTP to certify the public key of each entity 0xDAD12345 Alice 0xBADD00D1 Bob 1. Alice, PKA 2. Bob, PKB SKA,PKA SKB,PKB

More Related